The Cyber Resilience Act applies to every product with digital elements placed on the EU market — including software, connected hardware, and firmware. There is no startup exemption. Article 13 places 22 obligations on the manufacturer. Article 31 requires technical documentation per Annex VII before market placement. Article 28 requires an EU declaration of conformity. Article 32 specifies the conformity assessment procedure. For most startup products, Module A (self-assessment) applies. CRACheck generates all eight documents in 15–25 minutes for a one-time payment of €149. Article 33 acknowledges the burden on startups and requires Member States to provide support and proportionate conformity assessment fees.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Article 2(1) covers products with digital elements made available on the market. The definition in Article 3(1) includes "software or hardware product and its remote data processing solutions." If your SaaS product includes client-side software (app, browser extension, SDK) or if a component is placed on the market, the CRA may apply. Recital 12 provides further context on remote data processing.
Article 13(12) is explicit: the technical documentation must be drawn up before placing the product on the market. The conformity assessment must be completed before market placement. Launching first and documenting later is a violation from day one, exposing you to Article 64(3) penalties of up to €10M or 2% of turnover.
Article 13(5) requires manufacturers to exercise due diligence when integrating open-source components. You must assess the cybersecurity impact of every open-source dependency and document it in the SBOM per Part II, point (1) of Annex I.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
First question for any startup: is your product default or Important? The classifier answers this based on Annex III and IV mapping. Most software startups will be default — Module A.
Your first regulatory document ever, and CRACheck makes it structured from the start. Covers all 8 Annex VII elements adapted to your product's complexity level.
Maps your product against Annex I Part I. For a startup, this doubles as a security architecture review. The process of filling it out reveals gaps you might not have considered.
Annex II's 9 information items: contact details, vulnerability reporting channel, product name and version, intended purpose, known risks, declaration link, support period, security instructions, and SBOM access.
Per Article 28 and Annex V. For software, Article 30(1) allows CE marking on the declaration or your website.
Your coordinated vulnerability disclosure policy. For startups, this establishes a professional vulnerability handling process from day one.
Article 14 ENISA reporting structure. Operational from 11 September 2026. Better to have it ready before your first incident. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Maps your launch date against CRA enforcement dates, support period milestones, and documentation retention requirements.
Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.
Generated from your data, in your browser. No data leaves your device.
Produces every document the CRA requires before market placement: technical file, risk assessment, declaration, user information, CVD policy, ENISA template. Designed for founders who have never done regulatory documentation before.
CRACheck documents your declarations, not your security engineering. The 13 requirements in Part I of Annex I (secure by default, encryption, data minimisation, update mechanisms, access control) must be implemented in your product. The documentation records how you implement them. Implementation is engineering work.
CRACheck gets the paperwork right. Your engineering team gets the product right. Both must happen before launch.
Article 64 of Regulation (EU) 2024/2847.
Non-compliance with Annex I or Articles 13/14.
Missing documentation (Art. 31), declaration (Art. 28), or incorrect conformity assessment (Art. 32).
Misleading information to authorities.
| Criterion | Launch without CRA compliance | Free online checklist | Regulatory lawyer | CRACheck |
|---|---|---|---|---|
| Legal exposure after launch | Maximum (Art. 64) | Reduced awareness but no documentation | Minimised, but €15K+ | Minimised at €149 |
| Time to first draft | N/A | Hours of research, no output | 8–16 weeks | 15–25 minutes |
| Founder time required | 0 (plus maximum risk) | 20+ hours | 10+ hours in meetings | 1 hour total |
| Output quality | None | Notes, not structured docs | Custom report | 8 structured PDFs per Annex VII |
Many startups iterate and pivot. Each new product with digital elements needs its own CRA documentation. Pack of 10: €99 per product.
Request Volume PricingCRACheck generates a structured document based on Article 31 and Annex VII of Regulation (EU) 2024/2847 from the data you provide. The accuracy of that data is your responsibility as the manufacturer.
We guarantee that the document structure follows Article 31 and Annex VII and that all cited legal references are correct. We do not guarantee acceptance by a specific market surveillance authority or investor due diligence reviewer.
CRACheck is not legal advice. For startup-specific regulatory questions, consult a qualified professional.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.